
At the Security of Things Forum in Cambridge, Mass., Department of Homeland Security Assistant Secretary Robert Silvers called for companies to address IoT security risks with a set of frameworks and best practices.

By Sarah Kuranda, September 22, 2016, 12:56 PM EDT

While there’s a massive and growing opportunity around the Internet of Things, Department of Homeland Security Assistant Secretary Robert Silvers cautioned that security needs to be part of the conversation around connected devices, calling it a “public safety issue.”

“As we connect more and more of our national infrastructure, we do, however, have to see the complete picture,” Silvers said at the Security of Things Forum in Cambridge, Mass., Thursday. “We’re growing a national dependency and it’s important that we recognize that and that Internet of Things security, for that reason, is now a public safety issue. … We need this architecture to be built on a secure and trustworthy foundation.”

Matt Johnson, CEO of Baltimore, Md.-based Phalanx Secure Solutions, said he sees a need for better IoT security with his own customers, who he said often don’t realize the connected devices they have or the security risks they may pose. He said there is a gap in the market for security measures to address that problem.

“IoT is creating an incredibly complicated and large attack vector that most people are completely unaware of. … With the amount of infrastructure that is being controlled by IoT, it could easily become a public safety issue,” Johnson said.

While it might seem like “common sense” to security professionals, Silvers said those risks aren’t being addressed adequately today, with many companies pushing products to market without security best practices.

Those practices need to change sooner rather than later, Silvers said, as fixing IoT security after the fact is significantly more difficult than building security best practices into production.

“We have a very small and closing window of time in which to take decisive action,” Silvers said. “The challenge of addressing IoT security on the front end is outweighed only by the far greater challenge of trying to bolt on security on the back end once an ecosystem is deployed. We will need to think about what we can do right now to get this architecture built the right way.”

Silvers called for both short-term and long-term solutions to IoT security to be developed in parallel. Some of those efforts are already under way, he said, citing examples from the National Institute of Standards and Technology and the FDA around guidance for device security and architecture, as well as several private sector undertakings.

Silvers said physical recalls for vulnerabilities, which many companies use today, help address security issues, but can be costly and require a lot of effort on the part of the customer. Instead, he urged over-the-air patching, device manufacturer transparency, and frameworks for security best practices in production.

The DHS is also working to develop a set of unifying principles for IoT security, Silvers said, including best practices for identifying and resolving security risks. Silvers said the DHS will release these standards as a starting point for IoT security after extensive consultation with industry stakeholders, work he said is already under way.

“Our vision is that executives can use our principles as a baseline for when they meet with their security team to see how security is being accounted for in the business plan and also used by the security teams themselves to organize and categorize their critical lines of effort in their security work,” Silvers said.